Slashdot Mirror


Observing Botnets with Honeynets

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It also introduces the tools "mwcollect" and "drone" which can be used for collecting and tracking Botnet activity. Nice to read and looking forward to the release of these tools."

7 of 118 comments

  1. 226,585 unique hosts!? by bigtallmofo · · Score: 5, Insightful

    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored [...] This shows that the threat posed by botnets is probably worse than originally believed

    Doesn't this qualify as the understatement of the year? Never in my wildest dreams did I think a botnet would grow above a few tens of thousands of hosts. There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

    Anyway, I couldn't have imagined a better or more authoritative write-up of botnets. Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

    --
    I'm a big tall mofo.
    1. Re:226,585 unique hosts!? by mrtroy · · Score: 3, Insightful

      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.

      Yes, there is, a lot of DDOS power. A lot of xdcc bots. Script kiddies with zero skills can pull it off.

      Hopefully though it doesn't add fuel to the various ??AA organization's fire of declaring IRC a scourge on humanity.

      Just because botnets use IRC networks as a place of gathering does not mean IRC is a scourge on humanity. ??AA are not even worried about such things, there is no direct relationship between botnets and music/movies.

      I would not be surprised if there is at the least 10 times more unique hosts than they found.

      --
      [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
    2. Re:226,585 unique hosts!? by Anonymous Coward · · Score: 1, Insightful

      Note that "unique IP addresses" also includes those of infected computers that reconnected during the period the channels were monitored - assigning new IPs on a reconnect is very popular not only with modem / ISDN, but even with DSL ISPs.
      Some ISPs even assign a new IP every 12 or 24 hours, meaning that even if only a small part of that botnet was made up of nodes on a connection like that, they'd have a significant influence on the number of "unique IP addresses".

    3. Re:226,585 unique hosts!? by fm6 · · Score: 2, Insightful
      Never in my wildest dreams did I think a botnet would grow above a few tens of thousands of hosts.
      Lots of people did, though. Not botnets as such, but it's been clear for several years that Windows is extremely vulnerable to automated infiltration.
      There's no explanation for such a botnet other than a professional full-time organization specifically created for profit.
      A "professional full-time organization" can be one guy. But I'm guessing you mean something more serious, like somebody's raised some investment capital, hired a team of programmers, and is quietly selling botnet services.

      That's not impossible, or even terribly unlikely, but it doesn't follow from the evidence stated. The size of a botnet isn't proof of anything, not when the propagation is automated. That's especially true when the bots are also viruses, that is, in charge of their own propagation. Then you get exponential growth.

    4. Re:226,585 unique hosts!? by Kent+Recal · · Score: 2, Insightful

      As I understand it, that figure was all botnets they monitored combined.
      Not a single one.

      But as we all know, on the internet "size doesn't matter much".
      Switch your bots to a lightweight (UDP based?) protocol, partition up the botnet or make it P2P and you can handle any insane number of bots.

      Remember, as soon as a new Windows vulnerability is discovered (the current rate seems to be about one serious remote exploit every 3 months) your malicious botnet-operator only needs to "plug in" the new exploit and have n bots dig through a pool of hundreds of thousands (probably millions) of vulnerable hosts just standing in line to join...

      I would not really be surprised if such a large (single) botnet would come into existence in the near future. I guess we'll soon be reading about regular busts on botnet operators as we're reading nowadays about the arrest of (usually minor) worm programmers.

      And, on a different but related note, I want to repeat: microsoft is to blame! Sue them, leave the fuckin kids alone!
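
The point raised above by the Anonymous Coward, that a cumulative count of unique IP addresses overstates the number of infected hosts whenever ISPs rotate addresses, can be checked against the join records a honeynet collects. The following is an added example written for this page; it is not code from the thread, from the Honeynet Project paper, or from the mwcollect/drone tools. The log format (one JOIN per line with timestamp, nick, IP and channel) and the log lines themselves are constructed for illustration, using RFC 5737 documentation addresses, and do not reflect any real capture.

```python
"""Compare cumulative unique IPs with estimates of the live bot population.

Added example, not part of the Slashdot thread or the Honeynet Project paper.
The line format and the sample log are assumptions constructed for this page.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: bot-a1 reconnects daily from a new address in the same
# ISP pool (the rotation case discussed in the thread); bot-b7 and bot-c2 keep
# a stable address but are not online every day.
SAMPLE_LOG = """\
2005-03-10 01:00:12 JOIN nick=bot-a1 ip=198.51.100.10 chan=#c
2005-03-10 01:00:30 JOIN nick=bot-b7 ip=203.0.113.5 chan=#c
2005-03-10 02:15:00 JOIN nick=bot-c2 ip=192.0.2.77 chan=#c
2005-03-11 01:02:44 JOIN nick=bot-a1 ip=198.51.100.11 chan=#c
2005-03-11 03:00:05 JOIN nick=bot-b7 ip=203.0.113.5 chan=#c
2005-03-12 01:01:09 JOIN nick=bot-a1 ip=198.51.100.12 chan=#c
2005-03-12 02:00:01 JOIN nick=bot-c2 ip=192.0.2.77 chan=#c
"""

# Assumed line layout; adjust the pattern to whatever your monitor emits.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) JOIN "
    r"nick=(?P<nick>\S+) ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) chan=(?P<chan>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed JOIN line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def unique_ips(events):
    """The naive metric: every address ever seen, counted once."""
    return {e["ip"] for e in events}


def unique_nicks(events):
    """Per-bot identifier. Only meaningful if the bot keeps a stable nick;
    many bots generate a random nick on every start, so treat as a heuristic."""
    return {e["nick"] for e in events}


def unique_slash24(events):
    """Collapse addresses to /24s. Rough proxy for 'same ISP pool', which
    absorbs some rotation but also merges genuinely distinct hosts."""
    return {str(ip_network(e["ip"] + "/24", strict=False)) for e in events}


def daily_unique_ips(events):
    """Distinct addresses per calendar day. A bot can hold only one address
    at a time, so the peak day is a lower bound on hosts active that day."""
    per_day = defaultdict(set)
    for e in events:
        per_day[e["day"]].add(e["ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def summarize(text):
    """Side-by-side population estimates for one captured log."""
    events = parse_log(text)
    daily = daily_unique_ips(events)
    return {
        "cumulative_unique_ips": len(unique_ips(events)),
        "peak_daily_unique_ips": max(daily.values()) if daily else 0,
        "unique_slash24": len(unique_slash24(events)),
        "unique_nicks": len(unique_nicks(events)),
    }


if __name__ == "__main__":
    for metric, value in summarize(SAMPLE_LOG).items():
        print(f"{metric:24s} {value}")
```

On the constructed log the cumulative count reports 5 addresses while only 3 bots exist; the peak-day and nick-based estimates both land on 3. None of these is the true population: the peak-day figure undercounts bots that were offline on the busiest day, and the /24 and nick heuristics break on shared pools and randomised nicks. Reporting the cumulative figure next to a lower bound like the peak-day count is the honest way to present a number such as the paper's 226,585.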

  2. Re:Are these BotNets responsible by maotx · · Score: 2, Insightful

    What gets me is how easy it is to find out which channel these bots go into and what commands they accept. What prevents any Joe-Blow with a little sniffer from logging into one of these 25,000+ bot rooms and sending them DoS or self-destruct commands? I'm really surprised that there isn't any "bot wars" from disgruntled 13-year olds (no offense to any 13 year old /.ers) who want to take control of all of those infected boxes.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.
  3. Re:Are these BotNets responsible by WormholeFiend · · Score: 2, Insightful

    what surprises me is that there aren't any antibot /.ers who'll log on those botnets and self-destruct them.

    that is, if any 13 yo can do it... but IANASK (I am not a script kiddie), so...